Skip to content
This repository has been archived by the owner on Nov 17, 2023. It is now read-only.

NUM‐CODEX DSF 0.9.2 Deployment

Hauke Hund edited this page Aug 23, 2023 · 2 revisions

See NUM-CODEX Install 0.9.3 for the latest release.


This setup guide uses pre-build docker images for DSF Version 0.9.2. This guide is not suitable for HiGHmed organizations.
If you are a member of HiGHmed, see HiGHmed Install.

Prerequisites

Virtual Machines

  • DSF FHIR VM: min. 4 GB RAM, 4 vCPU, 20 GB HDD
  • DSF BPE VM: min. 4 GB RAM, 4 vCPU, 20 GB HDD

Docker / Docker-Compose

Both VMs need latest docker and docker-compose. For the latest install guide see https://docs.docker.com/engine/install and https://docs.docker.com/compose/install

docker:

sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

docker-compose (warning: 2.17.3 might not be latest):

sudo curl -L "https://github.com/docker/compose/releases/download/v2.17.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Client/Server Certificates

Two Certificates from the DFN-PKI Global G2 (via DFN e.V.), GÉANT TCS (via DFN e.V.) or D-Trust (via TMF e.V.) are needed, more infos see Authentication

  • Certificate A: Server Certificate (DFN PKI Profile: 'Web Server', Common-Name: Your external DSF FHIR Servers FQDN)
  • Certificate B: Client Certificate (DFN PKI Profile: '802.1X Client', Common-Name: Your DSF BPE Servers FQDN)

Network setup / Network access

For additional information on the network setup see Network-and-Architecture.

  • The DSF FHIR server needs to be accessible via the internet and able to access the internet without TLS interception.
  • The BPE FHIR server should only be accessible by the internal network and able to access your DSF FHIR server via its external FQDN and the internet without TLS interception.

Here is a quick overview of the expected network setup. Connections to the fTTP, the terminology server and simplifier.net for validating GECCO FHIR resources as well as the local GECCO FHIR server are not listed:

Source Target Port Protocol
DSF BPE (local) DSF FHIR (local) 443 https, wss
DSF BPE (local) DSF FHIR (GECCO Transfer Hub) 443 https
DSF FHIR (local) DSF FHIR (GECCO Transfer Hub) 443 https (HTTP HEAD only)
DSF BPE (GECCO Transfer Hub) DSF FHIR (local) 443 https
DSF FHIR (GECCO Transfer Hub) DSF FHIR (local) 443 https (HTTP HEAD only)

On-Boarding Excel Spreadsheet

You are required to fill out the on-boarding Excel spreadsheet, provided with the NUM-CODEX hackathon invite, and send it to the GECCO Transfer Hub. If the GECCO Transfer Hub already received and validated your On-Boarding Excel spreadsheet and you do not have to change any information, you can skip this step.

Setup

Prepare Certificates

  1. Server Certificate (certificate A)
    This certificate will be used as the DSF FHIR servers server certificate (ssl_certificate_file.pem, ssl_certificate_key_file.pem)

    • Store PEM encoded certificate as ssl_certificate_file.pem
    • Store unencrypted, PEM encoded private-key as ssl_certificate_key_file.pem
  2. Client Certificate (certificate B)
    This certificate will be used as the DSF BPE servers client certificate (client_certificate.pem, client_certificate_private_key.pem) as well as the DSF FHIR servers client certificate (client_certificate.pem, client_certificate_private_key.pem)

    • Store PEM encoded certificate as client_certificate.pem
    • Store encrypted or not encrypted, PEM encoded private-key as client_certificate_private_key.pem

DSF FHIR Server

  1. Add Group/User
    Add group and user used by the DSF FHIR java application. Ubuntu compatible commands below:

    sudo addgroup --gid 2101 fhir
    sudo adduser --system --no-create-home --uid 2101 --gid 2101 fhir
    
  2. Download and Extract Config Files
    Download prepared DSF FHIR server config files and folder structure from

    The tar command will unpack the config files at /opt/fhir assuming you changed into the /opt directory.

  3. Verify that the fhir system user or group can write into the following folder

    • /opt/fhir/log
  4. Add certificates and keys

    • Add the server certificate (certificate A) and the corresponding private-key to /opt/fhir/secrets/
      • ssl_certificate_file.pem (chmod: 440, chown: fhir:docker)
      • ssl_certificate_key_file.pem (chmod: 440, chown: fhir:docker)
    • Add the client certificate (certificate B) and the corresponding private-key to /opt/fhir/secrets/
      • client_certificate.pem (chmod: 440, chown: fhir:docker)
      • client_certificate_private_key.pem (chmod: 440, chown: fhir:docker)
    • If the private key is encrypted, add a password file with the password as the only content to /opt/fhir/secrets/
      • client_certificate_private_key.pem.password
    • If the private key is not encrypted, remove the corresponding docker secret lines from the docker-compose.yml file
      L39:      - app_client_certificate_private_key.pem.password
      ...
      L56:      ORG_HIGHMED_DSF_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE: /run/secrets/app_client_certificate_private_key.pem.password
      ...
      L137:  app_client_certificate_private_key.pem.password:
      L138:    file: ./secrets/client_certificate_private_key.pem.password
      
  5. Uncomment one of the certificate chain entries in the docker-compose file base on the certificate authority that signed your DSF FHIR server certificate (certificate A). For example use the following two lines if the server certificate is signed by DFN-Verein Global Issuing CA

    L102:  ssl_certificate_chain_file.pem:
    L103:    file: ./secrets/ssl_certificate_chain_file_DFN-Verein.pem
    
  6. Modify database passwords

    • /opt/fhir/secrets/db_liquibase.password
      • Generate a random password (min. 32 characters recommended) and replace the content of the file.
    • /opt/fhir/secrets/db_user.password
      • Generate a random password (min. 16 characters recommended) and replace the content of the file.
    • /opt/fhir/secrets/db_user_permanent_delete.password
      • Generate a random password (min. 16 characters recommended) and replace the content of the file.
  7. Modify the docker-compose.yml file and set environment variables to the appropriate values

    • services -> proxy -> environment:
    • services -> app -> environment:
      • ORG_HIGHMED_DSF_FHIR_SERVER_FQDN: TODO_DSF_FRIR_SERVER_EXTERNAL_FQDN
        Set your FHIR servers external FQDN, e.g. foo.bar.de
      • ORG_HIGHMED_DSF_FHIR_SERVER_BASE_URL: https://TODO_DSF_FRIR_SERVER_EXTERNAL_FQDN/fhir
        Set your FHIR servers external FQDN, e.g. foo.bar.de -> https://foo.bar.de/fhir
      • ORG_HIGHMED_DSF_FHIR_SERVER_ORGANIZATION_IDENTIFIER_VALUE: TODO_ORGANIZATION_IDENTIFIER
        Set your Organizations DSF identifier, aka the shortest FQDN that resolves to the main homepage of the organization, e.g. hs-heilbronn.de
      • ORG_HIGHMED_DSF_FHIR_SERVER_ORGANIZATION_NAME: TODO_ORGANIZATION_NAME
        Set your Organizations official name, e.g. Hochschule Heilbronn
      • ORG_HIGHMED_DSF_FHIR_SERVER_ORGANIZATION_THUMBPRINT: TODO_CLIENT_CERTIFICATE_THUMBPRINT
        Set the SHA-512 Hash (lowercase hex) of your client certificate (certificate B)
        Use certtool --fingerprint --hash=sha512 --infile=client_certificate.pem to generate the hash.
      • ORG_HIGHMED_DSF_FHIR_SERVER_USER_THUMBPRINTS: TODO_CLIENT_CERTIFICATE_THUMBPRINTS
        Set the SHA-512 Hash (lowercase hex) of your client certificate (certificate B)
        This parameter is a comma separated list e.g. ab12...37ff,f3a2...bb22. You can add additional client certificate thumbprints for example the thumbprint of your (the admins) personal DFN PKI S/MIME certificate, to access the DSF FHIR servers REST interface.
      • ORG_HIGHMED_DSF_FHIR_SERVER_USER_THUMBPRINTS_PERMANENT_DELETE: TODO_CLIENT_CERTIFICATE_THUMBPRINTS
        Set the SHA-512 Hash (lowercase hex) of your client certificate (certificate B)
        This parameter is a comma separated list e.g. ab12...37ff,f3a2...bb22. Usually it is not necessary to add additional thumbprints other than your client certificate (certificate B) here. When a client uses a certificate with a thumbprint listed here, the client is allowed to permanently delete FHIR resources.
      • For additional environment variables, see DSF 0.9.2 configuration parameters - FHIR Server
  8. Start the DSF FHIR Server
    Start using: docker-compose up -d && docker-compose logs -f (Ctrl-C will close log, but not stop container)

DSF BPE Server

  1. Add Group/User
    Add group and user used by the DSF BPE java application. Ubuntu compatible commands below:

    sudo addgroup --gid 2202 bpe
    sudo adduser --system --no-create-home --uid 2202 --gid 2202 bpe
    
  2. Download and Extract Config Files
    Download prepared DSF BPE server config files and folder structure from

    The tar command will unpack the config files at /opt/bpe assuming you changed into the /opt directory.

  3. Verify that the bpe system user or group can write into the following folders

    • /opt/bpe/log
  4. Add certificates and keys

    • Add the client certificate (certificate B) and the corresponding private-key to /opt/bpe/secrets/
      • client_certificate.pem (chmod: 440 chown: bpe:docker)
      • client_certificate_private_key.pem (chmod: 440 chown: bpe:docker)
    • If the private key is encrypted, add a password file with the password as the only content to /opt/bpe/secrets/
      • client_certificate_private_key.pem.password
    • If the private key is not encrypted, remove the corresponding docker secret lines from the docker-compose.yml file
      L13:      - app_client_certificate_private_key.pem.password
      ...
      L38:      ORG_HIGHMED_DSF_BPE_FHIR_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD_FILE: /run/secrets/app_client_certificate_private_key.pem.password
      ...
      L92:  app_client_certificate_private_key.pem.password:
      L93:    file: ./secrets/client_certificate_private_key.pem.password
      
    • Add the CRR public-key used for asymmetrically encrypting the GECCO FHIR Bundles to /opt/bpe/secrets/
  5. Modify database passwords

    • /opt/bpe/secrets/db_liquibase.password
      • Generate a random password (min. 32 characters recommended) and replace the content of the file.
    • /opt/bpe/secrets/db_user.password
      • Generate a random password (min. 16 characters recommended) and replace the content of the file.
    • /opt/bpe/secrets/db_user_camunda.password
      • Generate a random password (min. 16 characters recommended) and replace the content of the file.
  6. Modify the docker-compose.yml file and set environment variables to the appropriate values

    • services -> app -> environment:
      • ORG_HIGHMED_DSF_BPE_FHIR_SERVER_ORGANIZATION_IDENTIFIER_VALUE: TODO_ORGANIZATION_IDENTIFIER
        Set your Organizations DSF identifier, aka the shortest FQDN that resolves the main homepage of the organization, e.g. hs-heilbronn.de
      • ORG_HIGHMED_DSF_BPE_FHIR_SERVER_BASE_URL: https://TODO_DSF_FRIR_SERVER_FQDN/fhir
        Set your FHIR servers external FQDN, e.g. foo.bar.de -> https://foo.bar.de/fhir
      • For additional environment variables, see DSF 0.9.2 configuration parameters - BPE Server
  7. Start the DSF BPE Server (without process plugins)
    Start using: docker-compose up -d && docker-compose logs -f (Ctrl-C will close log, but not stop container)

  8. Verify DSF BPE Startup

    • Check that the BPE was able to download new Task resources from the DSF FHIR server during startup.
    • Check that the BPE was able to download a Subscription resource from the DSF FHIR server during startup.
    • Check that the BPE was able to connect to the websocket endpoint of the DSF FHIR server during startup.

    If you need to debug the TLS connection to your DSF FHIR server use for example:
    docker run -it --rm alpine/openssl s_client your-fhir-server.fqdn:443
    The command above should print the server certificate of your DSF FHIR server (certificate A) and end with a message like [...]tlsv13 alert certificate required[...]

  9. Stop the DSF BPE Server

    • Hit Ctrl-C to close log
    • Stop using: docker-compose stop
  10. Add the following DSF BPE process plugins, for instructions on how to configure the plugin, see release notes.

    Notice: Jar-files within the folders /opt/bpe/process and /opt/bpe/plugin need to be readable by the linxux bpe user -> chown root:bpe, chmod 440

  11. Start the DSF BPE Server (with process plugins)
    Start using: docker-compose up -d && docker-compose logs -f (Ctrl-C will close log, but not stop container)

Clone this wiki locally